The present invention relates to the field of Governance, Risk and Compliance (GRC). More specifically, the present invention relates to a method and system for managing a plurality of Regulations, Policies and Risks (RPR) to support GRC requirements of an organization.
Organizations need to be compliant with various regulations. These regulations are promulgated by various regulatory authorities such as state governments, local governments, and so forth. Examples of these regulations include, but are not limited to, the Sarbanes-Oxley Act (SOX), the Occupational Safety and Health Act (OSHA), the Health Insurance Portability and Accountability Act (HIPAA), and so forth. Some of these regulations apply across industries while others are specific to an industry. Industry-specific regulations are called industry standards, and they usually prescribe the formats and procedures to be followed in order to comply with the standard. Examples of industry standards include, but are not limited to, the Good Practice quality guidelines and regulations (GxP), used in many fields, including the pharmaceutical and food industries. Organizations also define internal regulations, in the form of internal policies, rules, and so forth, to improve their performance.
Presently, organizations comply with various regulations and industry standards by managing them individually. For example, if an organization needs to comply with the SOX and the OSHA regulations, then it defines one system for managing the SOX regulation and another system for managing the OSHA regulation. Typically, committees are formed to determine the policies and processes that the organization needs to follow to comply with a regulation. Further, these committees determine various infrastructural needs for the organization to comply with the regulation. Thereafter, a system is set up to handle the compliance requirements. Typically, the systems designed for managing regulations become outdated with updates in the regulations.
Organizations face a number of problems in managing the various regulations and industry standards. Regulations and industry standards are frequently amended by regulatory authorities, and new regulations are frequently promulgated by them. Therefore, new systems need to be designed frequently to manage the new regulations, and existing systems need to be upgraded frequently to reflect amendments to the regulations. Designing and upgrading these systems is a manual process. In many cases, various regulations and policies have overlapping compliance requirements. Therefore, managing the regulations becomes effort-intensive, duplicated, non-standardized, and prone to discrepancies. Organizations also need to monitor their compliance processes regularly. However, frequent amendments to the regulations and standards make it difficult for organizations to monitor these compliance processes continuously.
In light of the discussion above, there is a need for a method, system and computer program product for efficiently managing various regulations. Further, such a method should be standardized and should enable faster adaptation to amendments in regulations. Moreover, such a method should enable continuous monitoring of various compliance processes.